javascript nodeJS - 我可以把内容安全策略放在哪里
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/21048252/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
nodeJS - where exactly can I put the Content Security Policy
提问by user2520410
I don't know where to apply the Content Security Policy (CSP) snippet below in my code;
我不知道在我的代码中在哪里应用下面的内容安全策略 (CSP) 片段;
Content-Security-Policy: script-src 'self' https://apis.google.com
Should it be in the HTML?
它应该在 HTML 中吗?
Will it be best implemented in JavaScript as in the code snippet below?
它是否最好在 JavaScript 中实现,如下面的代码片段所示?
var policy = "default-src 'self'";
http.createServer(function (req, res) {
res.writeHead(200, {
'Content-Security-Policy': policy
});
});
回答by Juan Manuel Arias
You just need to set it in the HTTP Header, not the HTML. This is a working example with express 4 with a static server:
您只需要在 HTTP 标头中设置它,而不是在 HTML 中。这是带有静态服务器的 express 4 的工作示例:
var express = require('express');
var app = express();
app.use(function(req, res, next) {
res.setHeader("Content-Security-Policy", "script-src 'self' https://apis.google.com");
return next();
});
app.use(express.static(__dirname + '/'));
app.listen(process.env.PORT || 3000);
If you want more information about CSP, this is an excelent article: http://www.html5rocks.com/en/tutorials/security/content-security-policy/
如果您想了解有关 CSP 的更多信息,这是一篇很棒的文章:http://www.html5rocks.com/en/tutorials/security/content-security-policy/
Hope that helps!
希望有帮助!
回答by rags2riches
For a node.jsapplication withoutusing any external framework e.g. express:
对于不使用任何外部框架的node.js应用程序,例如express:
const http = require('http');
http.createServer((request, response) => {
request.on('error', (err) => {
console.error(err);
// for this simple example I am not including the data event
// e.g. if the request contains data in the body
}).on('end', () => {
response.on('error', (err) => {
console.error(err);
});
// you can set your headers with setHeader or
// use writeHead as a "shortcut" to include the statusCode.
// Note writeHead won't cache results internally
// and if used in conjuction with setHeader will take some sort of "precedence"
response.writeHead(200, {
"Content-Security-Policy": "default-src 'self'"
// other security headers here...
});
response.end("<html><body><h1>Hello, Security Headers!</h1></body></html>");
});
}).listen(8080);
See the node.js documentationfor more details on setting headers on the response object
有关在响应对象上设置标头的更多详细信息,请参阅 node.js 文档
回答by Kevin Farrugia
If you are using Express, I suggest taking a look at helmet. In addition to increased options & flexibility (handling CSP violations, nonces...etc), there are a lot of inconsistencies in how browsers implement CSP. Helmet looks at the user-agent of the browser and sets the appropriate header and value for that browser. If no user-agent is matched, it will set all the headers with the 2.0 spec.
如果您使用 Express,我建议您看一下头盔。除了增加的选项和灵活性(处理 CSP 违规、随机数等)之外,浏览器如何实现 CSP 还存在很多不一致之处。Helmet 查看浏览器的用户代理并为该浏览器设置适当的标头和值。如果没有匹配到用户代理,它将使用 2.0 规范设置所有标头。
// Make sure you run "npm install helmet-csp" to get the csp package.
const csp = require('helmet-csp')
app.use(csp({
directives: {
defaultSrc: ["'self'"],
styleSrc: ["'self'", 'maxcdn.bootstrapcdn.com']
}
}))
